FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 190956
This article describes how to authenticate PKI users on FortiGate via SSL VPN using two factor authentication with certificate.
The existing SSLVPN policies needs to be adapted in case new groups are added in this setup.

In general a CA certificate is needed which sings user certificates that the users can use to authenticate themselves against other entities.
Those client certificates will also be used in this article.

- Set up the PKI for this first.
- Import the users CA Certificate to the FortiGate by going to System -> Certificate -> Import CA Certificate (.crt).

On the client side.

- Import the users certificate signed by the trusted CA with private key and certificate (BOTH are required!) to the client: either on the browsers 'Privacy & Security' section or the Windows 'Certificate Store' to be accessed by other applications as the FortiClient.
- Private key and certificate file can either be in a bundled file as PKCS#12 file (.p12) or as separate .cer/.crt and .key file.

From GUI, under SSL-VPN settings.

- Eventually change the server Certificate and select certificate with the subject as the FortiGate FQDN that clients access for VPN, ideally another one signed by a CA that the connecting client is trusting.
Otherwise the user receive warnings about an invalid server certificate.
- Enable require client certificate (radio button in green).

Create a PKI user from CLI.
# config user peer
    edit "pki_user"
        set ca "CA_Cert_1"
        set subject "CN = student"
        set two-factor enable
        set passwd Pa$$w0rd
Then the section 'PKI' for the certificate users will appear in the GUI under User & Device -> PKI (after refreshing the GUI).
In the 'set subject field' enter the exact name (CN) that is displayed in the user certificate, it can be very different from this example.

SSL VPN Group.

Add the created PKI user to the SSLVPN group under User&Device -> User Group.

Now test the connection with the browser connection for web mode or the FortiClient for tunnel mode.
Authenticate the remote user, using FortiClient (PKI user with password and certificate):

To verify, enable the debug log on from CLI while connecting:
# diagnose debug console timestamp enable
# diagnose debug application fnbamd -1
# diagnose debug application sslvpn -1
# diagnose debug enable

2020-05-06 10:13:28 [1250] __fnbamd_build_cert_chain-Chain is complete.

2020-05-06 10:13:28 [1460] peer_subject_cn_check-Cert subject 'CN = student'

2020-05-06 10:13:28 local auth is done with user 'pki_user', ret=0

Related Articles

Technical Tip: PKI peer user creation for certificate authentication

Technical Tip: Configure admin certificate authentication